NASA Cloud Contracts Slammed By Auditor

Space agency's early moves into cloud were poorly managed, may have exposed the organization to risk, inspector general reports.

NASA's Next 5 Missions

(click image for larger view)

NASA has scored low marks from its own auditor on its progress in adopting cloud computing technologies. In a report published Monday, the NASA Office of Inspector General concluded that weaknesses in the body's IT governance and risk management practices have "impeded" it from gaining the full benefits of cloud.

For example, several NASA centers moved systems and data into the public cloud without the knowledge or consent of NASA's Office of the CIO (OCIO), while it struck deals with suppliers using contracts that "failed to fully address the business and IT security risks unique to the cloud environment." Of five deals the IG looked at closely, not one came close to meeting "recommended best practices for ensuring data security," it said. At the same time, NASA seems to have signed deals that had no clauses for making sure contractor performance would be measured, reported and enforced, or whether these new cloud partners had the right federal privacy, discovery, or data retention and destruction credentials or procedures in place.

The IG also reported that one or two "moderate impact" NASA IT systems ran in a public cloud environment for about two years without authorization from its OCIO, and without any "security or contingency plan" or test of any systems' security controls. That's because, it said, the agency's IT leadership wasn't aware of all the cloud services and suppliers that various NASA departments were using, nor was any of it centrally managed.

This occurred in spite of the NASA OCIO's Federal Risk and Authorization Management Program (or FedRAMP) compliant plan for getting cloud into the organization. However, it appears that plan wasn't rolled out to departments to help them get the most compliant deals.

Even so, NASA hasn't bet the farm on cloud just yet, spending only $10 million of its $1.5 billion yearly IT budget on the technology. In addition, according to the audit, so far about a million dollars a year of IT savings are being garnered by cloud.

Still, as many as 75% of new IT programs are projected to have some cloud element between now and 2018. Also, a big chunk of its public data could be there and as much as 40% of heritage systems, too. As the study stresses, "As NASA moves more of its systems and data to the cloud, it is imperative that the agency strengthen its governance and risk management practices to safeguard its data while effectively spending its IT funds."

The report lists a set of recommendations for recently appointed NASA CIO Larry Sweet to rectify the agency's first cloud moves. It noted that Sweet's team "concurred with our recommendations and proposed corrective actions," but committed to follow its suggested means of improving the agency's IT governance and risk management practices "subject to the availability of funds."

Tough to know if cloud providers have the correct federal requirements in place. If fedramp would get with the program, and certify more than just a few measly IaaS providers (which does not offer much - most customers are after either PaaS or SaaS), then perhaps it would make implementing in the cloud, AND the oversight easier!

Its really too bad that the current administration is pushing organizations like NASA to the cloud. NASA has no reason to be in the cloud, nor does a large majority of the rest of the Federal Government. We have children in Washington that have no idea what they are doing.

There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.